===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0544
            Drupal Third Party-Modules: Multiple Vulnerabilities
                               17 June 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ubercart payment (third-party module)
                   Studio theme pack (third-party theme)
                   Ubercart MIGS Payment Gateway (third-party module)
                   Content Construction Kit (CCK) (third-party module)
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Existing Account
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
  http://drupal.org/node/829412
  http://drupal.org/node/829414
  http://drupal.org/node/829528
  http://drupal.org/node/829566

Comment: This bulletin contains four (4) Drupal security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

* Advisory ID: DRUPAL-SA-CONTRIB-2010-062
* Project: Ogone | Ubercart payment (third-party module)
* Version: 5.x, 6.x
* Date: 2010-June-16
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass

- -------- DESCRIPTION
- ---------------------------------------------------------

Ogone | Ubercart payment is a payment module for Ubercart that integrates the
Ogone PSP gateway as a checkout method for Ubercart.

The module does not always correctly verify the order status returned by the
Ogone gateway, potentially allowing unpaid orders to be processed.

- -------- VERSIONS AFFECTED
- ---------------------------------------------------

* Ogone | Ubercart payment module for Drupal 5.x versions prior to 5.x-1.6
* Ogone | Ubercart payment module for Drupal 6.x versions prior to 6.x-1.5

Drupal core is not affected.
If you do not use the contributed Ogone | Ubercart payment [1] module, there
is nothing you need to do.

- -------- SOLUTION
- ------------------------------------------------------------

Install the latest version:

* If you use the Ogone | Ubercart payment module for Drupal 5.x upgrade to
  Ogone | Ubercart payment 5.x-1.6 [2]
* If you use the Ogone | Ubercart payment module for Drupal 6.x upgrade to
  Ogone | Ubercart payment 6.x-1.5 [3]

See also the Ogone | Ubercart payment project page [4].

- -------- REPORTED BY
- ---------------------------------------------------------

* Arjean [5]

- -------- FIXED BY
- ------------------------------------------------------------

* Kees Kodde (kees@qrios [6]), module maintainer

- -------- CONTACT
- -------------------------------------------------------------

The Drupal security team [7] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/uc_ogone
[2] http://drupal.org/node/828320
[3] http://drupal.org/node/828318
[4] http://drupal.org/project/uc_ogone
[5] http://drupal.org/user/331955
[6] http://drupal.org/user/48715
[7] http://drupal.org/security-team

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-063
* Project: Studio theme pack (third-party theme)
* Version: 6.x
* Date: 2010-June-16
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

- -------- DESCRIPTION
- ---------------------------------------------------------

Studio theme pack is a set of themes for use as a base in creating a new
theme.

The Canvas theme, part of Studio theme pack and used as the base theme for the
Workspace and Paint themes (also included in Studio theme pack), does not
sanitize some of the user-supplied data before displaying it, leading to a
Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious user
gaining full administrative access.
- -------- VERSIONS AFFECTED
- ---------------------------------------------------

* Studio theme pack Drupal 6.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Studio theme
pack [2] theme, there is nothing you need to do.

- -------- SOLUTION
- ------------------------------------------------------------

Install the latest version:

* If you use the Studio theme pack theme for Drupal 6.x upgrade to Studio
  theme pack 6.x-1.2 [3]

See also the Studio theme pack project page [4].

- -------- REPORTED BY
- ---------------------------------------------------------

* Pelle Wessman

- -------- FIXED BY
- ------------------------------------------------------------

* Al Steffen (Zarabadoo [5]), theme maintainer

- -------- CONTACT
- -------------------------------------------------------------

The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/studio
[3] http://drupal.org/node/829292
[4] http://drupal.org/project/studio
[5] http://drupal.org/user/103935
[6] http://drupal.org/security-team

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-064
* Project: Ubercart MIGS Payment Gateway (third-party module)
* Versions: 6.x
* Date: 2010-Jun-16
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Web Parameter Tampering

The Ubercart MIGS Payment Gateway module provides support for the MIGS
third-party payment gateway used by ANZ, Commonwealth Bank, Bendigo Bank, and
various other banks worldwide for payment processing.

This module was susceptible to web parameter tampering [1] which allowed users
to bypass paying the full amount due on checkout. The amount paid was
correctly recorded against the order, but certain site configurations might
allow purchases to be delivered despite incomplete payment.
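The Ogone advisory (status not verified) and the MIGS advisory (amount tampered) above describe the same missing control: the shop must compare what the gateway reports against the order it recorded before releasing goods. The following is an added illustration of that server-side check, not code from either Ubercart module; the order store, parameter names and status codes are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass
class Order:
    order_id: str
    total: Decimal        # amount the shop computed at checkout
    currency: str
    fulfilled: bool = False


# Constructed order store standing in for the shop's database.
ORDERS = {"1001": Order("1001", Decimal("149.95"), "AUD")}

# Constructed (hypothetical) gateway status codes meaning "payment captured";
# a real integration uses the codes documented by its gateway.
PAID_STATUSES = {"9", "5"}


def verify_gateway_return(params: dict, orders: dict = ORDERS) -> tuple[bool, str]:
    """Decide whether an order may be fulfilled from a gateway return.

    Every value in `params` travelled through the customer's browser, so none
    of it is trusted on its own (a real integration also checks the gateway's
    signature over these fields first; that step is not shown here).  The
    order is released only if the gateway reports a paid status AND the amount
    and currency equal what the shop recorded for that order.
    """
    order = orders.get(params.get("order_id", ""))
    if order is None:
        return False, "unknown order"
    if order.fulfilled:
        return False, "order already processed"      # replayed return
    if params.get("status") not in PAID_STATUSES:
        return False, "gateway did not report a successful payment"
    try:
        paid = Decimal(params.get("amount", ""))
    except InvalidOperation:
        return False, "malformed amount"
    if params.get("currency") != order.currency or paid != order.total:
        # Partial or tampered amount: record it, but never fulfil the order.
        return False, (f"paid {paid} {params.get('currency')} but order total "
                       f"is {order.total} {order.currency}")
    order.fulfilled = True
    return True, "ok"
```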
This has been resolved in the latest release, which also incorporates other
features to match bank requirements.

- -------- VERSIONS AFFECTED
- ---------------------------------------------------

* Ubercart MIGS Payment Gateway for Drupal 6.x prior to uc_migs-6.x-1.2.

Drupal core is not affected. If you do not use the contributed Ubercart MIGS
module, there is nothing you need to do.

- -------- SOLUTION
- ------------------------------------------------------------

Install the latest version:

* If you use uc_migs for Drupal 6.x upgrade to uc_migs-6.x-1.2 [2].

See also the Ubercart MIGS Gateway project page [3].

- -------- REPORTED BY
- ---------------------------------------------------------

Chris Burgess [4], the uc_migs maintainer.

- -------- FIXED BY
- ------------------------------------------------------------

Chris Burgess

- -------- CONTACT
- -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://www.owasp.org/index.php/Web_Parameter_Tampering
[2] http://drupal.org/node/828614
[3] http://drupal.org/project/uc_migs
[4] http://drupal.org/user/76026

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-065
* Project: Content Construction Kit (CCK) (third-party module)
* Version: 5.x, 6.x
* Date: 2010-June-16
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass

- -------- DESCRIPTION
- ---------------------------------------------------------

The Content Construction Kit (CCK) project is a set of modules that allows you
to add custom fields to nodes using a web browser.

The CCK "Node Reference" module can be configured to display referenced nodes
as hidden, title, teaser or full view. Node access was not checked when
displaying these, which could expose view access on controlled nodes to
unprivileged users.
In addition, Node Reference provides a backend URL that is used for
asynchronous requests by the "autocomplete" widget to locate nodes the user
can reference. This was not checking that the user had field-level access to
the source field, allowing direct queries to the backend URL to return node
titles and IDs which the user would otherwise be unable to access. Note that
as Drupal 5 CCK does not have any field access control functionality, this
issue only applies to the Drupal 6 version.

- -------- VERSIONS AFFECTED
- ---------------------------------------------------

* Content Construction Kit (CCK) module for Drupal 5.x versions prior to
  5.x-1.11
* Content Construction Kit (CCK) module for Drupal 6.x versions prior to
  6.x-2.7

Drupal core is not affected. If you do not use the contributed Content
Construction Kit (CCK) [1] module together with any node or field access
module, there is nothing you need to do.

- -------- SOLUTION
- ------------------------------------------------------------

Install the latest version:

* If you use the Content Construction Kit (CCK) module for Drupal 5.x upgrade
  to Content Construction Kit (CCK) 5.x-1.11 [2]
* If you use the Content Construction Kit (CCK) module for Drupal 6.x upgrade
  to Content Construction Kit (CCK) 6.x-2.7 [3]

See also the Content Construction Kit (CCK) project page [4].

- -------- REPORTED BY
- ---------------------------------------------------------

* recrit [5]
* Marc Ferran (markus_petrux) [6], module co-maintainer

- -------- FIXED BY
- ------------------------------------------------------------

* Yves Chedemois (yched) [7], module co-maintainer
* Marc Ferran (markus_petrux) [8], module co-maintainer
* Karen Stevenson (KarenS) [9], module co-maintainer

- -------- CONTACT
- -------------------------------------------------------------

The Drupal security team [10] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/cck
[2] http://drupal.org/node/828986
[3] http://drupal.org/node/828988
[4] http://drupal.org/project/cck
[5] http://drupal.org/user/452914
[6] http://drupal.org/user/39593
[7] http://drupal.org/user/39567
[8] http://drupal.org/user/39593
[9] http://drupal.org/user/45874
[10] http://drupal.org/security-team

_______________________________________________

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================